Techniques for separating the processing of clients&#39; traffic to different zones in software defined networks

ABSTRACT

A method and system for separation of traffic processing in a software defined network (SDN). The method comprises allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone; assigning the computing resources in the first group to a first ADC and the computing resources in the second group with a second ADC; triggering a zoning mode in the computing frame to mitigate a potential cyber-attack; and causing at least one network element in the SDN to divert traffic from a trusted client to the first group of computing resources and traffic from an un-trusted client to the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. provisional application No.61/625,872 filed on Apr. 18, 2012, the contents of which are hereinincorporated by reference.

TECHNICAL FIELD

This invention generally relates to software defined networks (SDN), andparticularly to techniques for guaranteeing continuous services bycomputing resources connected to software defined networks.

BACKGROUND

A software defined network (SDN) is a relatively new type of networkingarchitecture that provides centralized control of network elementsrather than a distributed architecture utilized by conventionalnetworks. That is, in a distributed architecture each network elementmakes a routing decision based on the results of traffic processing anda distributed control mechanism. In contrast, in the SDN, a networkelement follows routing decisions received from a central controller. Indetail, the operation of a network element can be logically divided intoa “control path” and a “data path”. In the control path, controlprotocols, e.g., for building in routing protocols, a spanning tree, andso on, are operable. In the data path, packets-processing operations areperformed. Such operations include examining each input packet andmaking decisions based on the examination as to how to handle the inputpacket (e.g., packet forwarding, packet switching, bridging, loadbalancing, and so on). Furthermore, in a conventional network, networkelements typically include both a control plane and a data plane,whereas in a SDN, the network elements include the data path, and thecentral controller implements the control path.

The SDN can be implemented in wide area networks (WANs), local areanetworks (LANs), the Internet, metropolitan area networks (MANs), ISPbackbones, datacenters, and the like. Each network element in the SDNmay be a router, a switch, a bridge, a load balancer, and so on, as wellas any virtual instantiations thereof.

In one configuration of a SDN, the central controller communicates withthe network elements using an OpenFlow protocol which provides a networkabstraction layer for such communication. Specifically, the OpenFlowprotocol allows adding programmability to network elements for thepurpose of packets-processing operations under the control of thecentral controller, thereby allowing the central controller to definethe traffic handling decisions in the network element.

Traffic received by a network element that supports the OpenFlow isprocessed and routed according to a set of rules defined by the centralcontroller based on the characteristic of the required networkoperation. Such a network element routes traffic according to a flowtable and occasionally sends packets to the central controller. Eachnetwork element is preconfigured with a flow table and can be modifiedby the central controller as required. The operation of network elementsaccording to the OpenFlow protocol is further described in the “OpenFlowSwitch Specification”, Version 1.1.3, published on Apr. 16, 2012 by OpenNetworking Foundation, the contents of which are hereby incorporated byreference merely for the useful understanding of the background.

Thus, the OpenFlow protocol and SDN allow utilizing the hardware speedprocessing capability of conventional network elements while providingmore flexibility in the traffic packet-processing decisions. As notedabove, packets-processing operations include, but are not limited to,routing, load balancing, forwarding, switching, and bridging of packets.While the OpenFlow protocol allows the programmability of networkelements in the SDN, this protocol does not define how this capabilitycan be utilized to efficiently provide value added services including,but not limited to, security services to users of the SDN.

A significant problem facing the Internet community is that on-linebusinesses and organizations are vulnerable to malicious attacks.Recently, attacks have been committed using a wide arsenal of attacktechniques and tools targeting both the information maintained by theon-line businesses and their IT infrastructure. Hackers and attackersare constantly trying to improve their attacks to cause irrecoverabledamage, overcome currently deployed protection mechanisms, and so on.

Attacks and attack attempts are executed against servers and clients atdifferent layers (e.g., a network layer and an application layer).Attacks have become more sophisticated and their scope has also beenincreased. That is, a multitude number of infected machines and groupsof organized attackers take part in coordinated attack campaigns. Thus,it has become a significant challenge to secure online businesses andorganizations against targeted attack campaigns.

As a result, organizations and businesses lose revenue due tosecurity-related downtime, information theft, and the compromise ofconfidential information. Consequently, the organizations and businessessuffer immeasurable damage to their brand and image. In many cases, evenafter the attack has stopped, the remediation process can be a long andexpensive process. That is, it may take a long time to restore theservices/applications provided by the attacked site back to functioningproperly.

Currently available security systems cannot guarantee full protectionagainst a vast number of cyber threat categories and the numerous numberof attack vectors that exist to execute such threats. As a result, whena site or a data center is under attack, a portion of the site or theentire site may be idle, and legitimate clients cannot access theservers of the site, or they experience a very low service response(high latency). Examples for cyber-attacks include denial-of-service(DoS), intrusion type of attacks, buffer overflow attacks, misuse ofcomputing resources, and the like. Types of (web directed) attacksinclude, for example, web defacement attacks, cross site scriptingattacks, and more.

Although there are various security systems designed to detect,mitigate, and prevent cyber-attacks, there is no security system thatcan fully guarantee that such attacks will not succeed in negativelyimpacting the sites' services, and that clients of the site will not beaffected. Thus, when a site is under attack, there is always a chancethat the Quality of Service (QoS) is compromised and the service-levelagreement (SLA) cannot be guaranteed to the site's users.

It would therefore be advantageous to provide an efficient solution thatwould ensure continuous services and guarantee the SLA for legitimateand trusted clients even when the site is under attack.

SUMMARY

Certain embodiments disclosed herein include a method for separation oftraffic processing in a software defined network (SDN). The methodcomprises allocating a first group of computing resources of a computingfarm to a trusted zone and a second group of computing resources to anun-trusted zone; assigning the computing resources in the first groupwith a first address and the computing resources in the second groupwith a second address, wherein only the second address is advertised;triggering a zoning mode in the computing frame to mitigate a potentialcyber-attack; causing at least one network element in the SDN to divertan incoming traffic to the first group and the second group of computingresources based on a plurality of zoning rules implemented by the atleast one network element, wherein the plurality of zoning rules aredetermined by the central controller and determine that the traffic froma trusted client is directed to the first group of computing resourcesand the traffic from an un-trusted client is directed to the secondgroup of computing resources, thereby providing guaranteed SLA totrusted clients.

Certain embodiments disclosed herein also include a method for creatingat least one zoning rule that allows for separation of trafficprocessing in a software defined network (SDN). The method comprisesdetermining a trusted client based on a plurality of security riskindication parameters for each client accessing a computing farm;generating a list of trusted clients that includes an identifier of eachclient determined to be a trusted client; defining at least one actionfor traffic received from trusted clients, wherein the at least onezoning rule includes the list of trusted clients and actions defined forthe trusted clients; and conveying the plurality of zoning rules to atleast one network element in the SDN.

Certain embodiments disclosed herein also include a software definednetwork (SDN) that comprises at least one network element beingconnected to a plurality of clients through a computer network and to atleast one application delivery controller (ADC); and a centralcontroller for generating a plurality of zoning rules and instructingthe at least one network element to implement the plurality of zoningrules, thereby enabling separation of traffic processing by a computingfarm connected to the at least one ADC, wherein the separation oftraffic processing is performed in a zoning mode being triggered basedon an indication that a potential risk that a cyber-attack is about totake place against the computing farm or that the computing farm iscurrently under a cyber-attack.

Certain embodiments disclosed herein also include a central controlleroperable in a software defined network (SDN). The controller comprises aSDN interface for communicating with at least one network element in theSDN; an external system interface for receiving at least a plurality ofsecurity risk indication parameters and a plurality of zoning triggerparameters; a zoning module for determining if a zoning mode is requiredand for creating at least one zoning rule to be executed by the at leastone network element, wherein the at least one zoning rule allows forseparation of traffic processing in the SDN during the zoning mode,wherein the zoning mode is triggered based on an indication that apotential risk that a cyber-attack is about to take place against thecomputing farm or that the computing farm is currently under acyber-attack.

Certain embodiments disclosed herein also include a method forseparation of traffic processing in a software defined network (SDN)wherein the method is performed by a central controller of the SDN. Themethod comprises allocating a first group of computing resources of acomputing farm to a trusted zone and a second group of computingresources to an un-trusted zone; assigning the computing resources inthe first group to a first application delivery controller (ADC) and thecomputing resources in the second group with a second ADC; triggering azoning mode in the computing frame to mitigate a potential cyber-attack;and causing at least one network element in the SDN to divert a trafficaddressed to a single address of the computing farm to the first groupand the second group of computing resources based on a plurality ofzoning rules implemented by the at least one network element, whereinthe plurality of zoning rules determine that the traffic from a trustedclient is directed to the first ADC and the traffic from an un-trustedclient is directed to the second ADC, thereby providing a guaranteed SLAto trusted clients.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter that is regarded as the invention is particularlypointed out and distinctly claimed in the claims at the conclusion ofthe specification. The foregoing and other objects, features, andadvantages of the invention will be apparent from the following detaileddescription taken in conjunction with the accompanying drawings.

FIGS. 1A and 1B illustrates a network system utilized to describe theseparated processing of trusted and un-trusted traffic according tovarious embodiments.

FIG. 2 illustrates a network system utilized to describe the separatedprocessing of trusted and un-trusted traffic according to anotherembodiment.

FIG. 3 is a flowchart describing the generating a set of zoning rulesaccording to one embodiment.

FIG. 4 is a flowchart describing a method for separating the processingof trusted and un-trusted traffic according to one embodiment.

FIG. 5 shows an exemplary and non-limiting block diagram of the centralcontroller constructed according to one embodiment.

DETAILED DESCRIPTION

The embodiments disclosed herein are only examples of the many possibleadvantageous uses and implementations of the innovative teachingspresented herein. In general, statements made in the specification ofthe present application do not necessarily limit any of the variousclaimed inventions. Moreover, some statements may apply to someinventive features but not to others. In general, unless otherwiseindicated, singular elements may be in plural and vice versa with noloss of generality. In the drawings, like numerals refer to like partsthrough several views.

Certain embodiments disclosed herein allow distinguishing betweentrusted and un-trusted clients accessing a site. An un-trusted clientcan be an anonymous client whose history, legitimacy, reputation, and/oridentity is unknown. There is a higher probability that an un-trustedclient will perform attack activities against the site. A trusted clientis a client whose identity and/or reputation is known as legitimate inall regards as to utilization of the services provided by the site. Asite includes a plurality of servers that provide services to theclients. The site may be part of a global computing (server) farmlocated in distributed geographical locations, a local server farm, or acombination thereof.

According to the embodiments disclosed herein, a determination is madeif a computing farm should operate in a zoning mode. This may occurduring a cyber-attack or a period of time when the site is considered tobe under high risk to be a target of a cyber-attack. This can be anytype of known and unknown attack including, for example, DoS, DDoS,intrusion attack, web defacement, cross site scripting, buffer overflow,misuse of computing resources, and the like.

In the zoning mode, the computing resources of the farm are dynamicallyallocated and separated to a trusted and an un-trusted zone. Thecomputing resources in the trusted zone are selected to ensure high SLAto trusted clients based, in part, on pre-defined and/or previouslylearned service usage characteristics.

Traffic from trusted clients is routed to the trusted zone, forprocessing therein. Traffic from un-trusted clients is not processed inthe trusted zone, thus enabling a delivery of a higher security SLA,availability, and better user experience to trusted clients. To thisend, traffic from all clients is continuously monitored, and based on aplurality of parameters described in detail below, it is determined if aclient is trusted or un-trusted. In addition, a plurality of parametersis evaluated to determine if the site should be switched to a zoningmode.

FIG. 1A shows an exemplary diagram of a network system 100 utilized todescribe the various embodiments disclosed herein. The network system100 includes a computing (server) farm 110 that includes two sites 111and 112 connected to a software defined network (SDN) 120 through an ADC130. Clients 140-1 and 140-2 communicate with servers in the farm 110through a computer network 150 and the SDN 120. The ADC 130 typicallydistributes clients' traffic between the servers in a server farm tobalance the load. The ADC traffic distribution rules are typically basedon the availability of the servers (health), the load on the servers,and other parameters such as the application persistency rules, globalload balancing, and so on. The ADC 130 may be a physical device thatexecutes virtual instances of ADCs. Each such virtual instance can beaddressed by a MAC address, a port number, a VLAN ID, an IP address, orany combination therefore. An example for an ADC that executes virtualinstances of ADCs can be found in a co-pending U.S. application Ser. No.13/405,816 titled “TECHNIQUES FOR VIRTUALIZATION OF APPLICATION DELIVERYCONTROLLERS” assigned to the common assigned and incorporated herein byreference. The computer network 150 may be a WAN, the Internet, a LAN,or a combination thereof. In certain deployments, one or more clients140 may be connected only to the SDN 120.

For the sake of simplicity, only two sites 111 and 112, and two clients140-1 and 140-2 are shown in FIG. 1A. However, the embodiments disclosedherein can be applied to any number of clients and sites. The clientsmay be located in different geographical locations. The sites may be adatacenter, a server farm, or combinations thereof. According to oneembodiment, each of sites 111 and 112 is designed to deliver the SLAincluding a security SLA guaranteed to each of the clients 140-1 and140-2. Without limiting the scope of the disclosed embodiments, the site111 is configured to be in an un-trusted zone whereas the site 112 isdefined as a trusted zone.

As shown in FIG. 1A, each of the sites 111 and 112 includes a pluralityof servers. The computing farm 110 may be a global server farm in whichthe sites 111 and 112 are geographically distributed, or a local serverfarm where all the servers reside in one center. According to oneembodiment, each of the sites 111 and 112 is assigned with a differentvirtual IP (VIP) address. For example, sites 111 and 112 are assignedwith VIP1 and VIP2 respectively. As will be discussed in greater detailbelow, one of the sites, e.g., site 111 is configured to handle trafficfrom un-trusted clients while site 112 processes traffic from trustedclients. With this aim, only the VIP of the site in the un-trusted zone(e.g., site 111 and its VIP1) is advertised. That is, a DNS request fromone of the clients 140 for an IP address of servers in the farm 110,returns the VIP of the site 111, e.g., VIP1.

The SDN 120 includes a central controller 121 and a plurality of networkelements 122. As noted above, a SDN can be implemented in wide WANs,LANs, the Internet, MANs, ISP backbones, datacenters, and the like. Thecentral controller 121 defines a set of a rules for the network elements122 such as how to process the traffic between the farm 110 and theclients 140. Each network element 122 in one exemplary configuration isa switch that implements SDN-based provisions protocols, e.g., theOpenFlow protocol, and communicates by means of this protocol with thecontroller 121. In the exemplary deployment illustrated in FIG. 1A, twonetwork elements 122-1 and 122-2 are shown. The network element 122-1 isconnected at the edge of the SDN 120 and receives traffic from theclients 140. The network element 122-2 is connected at the other edge ofthe SDN 120 and communicates with the ADC 130. It should be noted thatthe SDN 120 may include any number of network elements, each of whichcommunicates with the central controller 121.

It should be noted that the SDN 120 may include a plurality of centralcontrollers, each of which controls a group of network elements and cancommunicate with different ADCs locally or geographically connected todifferent sites. In addition, the plurality of central controllers maycommunicate with each other. In such embodiment, each group of sites canbe in a trusted zone, and a different group of sites can be located inan un-trusted zone.

According to various embodiments disclosed herein, the centralcontroller 121 performs a zoning process. The zoning process includesdetermining a list of trusted clients and a set of rules (hereinafter“zoning rules”) such as how to handle traffic received from trustedclients. The zoning process ensures that the trusted clients receive theguaranteed SLA and uninterrupted services.

The central controller 121 is configured with and continuously receives(e.g., through APIs), security risk indication parameters. Based onthese parameters the controller 121 computes a threat level value foreach of the clients 140. This value allows determining if a client istrusted or un-trusted.

The security risk indication parameters include at least one of: apre-compiled list of trusted clients per IP address, a reputation scoresper IP address or geographical region, application layer parameters(e.g., clients' cookies), a client unique identification (ID) token, anaffiliation of a client (e.g., a client belongs to a trusted company oris an internal client of the organization), parameters collected fromexternal and internal client authentication services (e.g., Radiusservers, LDAP servers, “call-back” procedure, etc.), geo analysis (e.g.,the origin of a client's traffic in comparison to other clients), a typeof content and/or application accessed by the client, behavioralanalysis (e.g., comparing the clients' behavior to a normal behavior ofthe client), and so on.

The central controller 121 further receives (e.g., through APIs) one ormore zoning trigger parameters that provide an indication as to whetherthe controller 121 should switch to a zoning mode. That is, a zoningtrigger parameter can indicate a potential risk that an attack is aboutto take place against the computing farm 110 or that the farm 110 iscurrently under attack. In one embodiment, once the zoning mode istriggered, the central controller 121 can convey the rules to one ormore of the network elements 122-1, 122-2.

The zone trigger parameter(s) can be received from any other externalsource, such as a network security manager, a security engine,reputation services servers, or media outlets (e.g., if the site name ismentioned in online media as being a target of cyber-attack groups). Thezone trigger parameter may be also a predefined rule, based upon whichthe central controller decides whether or not to switch to the zoningmode. For example, such a rule may be a predefined time window (e.g., acertain date, time in a day, or day in a week), geographical-location ofthe source traffic, a predefined pattern of content in the incomingtraffic, or traffic directed to a certain service (e.g., traffic to afinance application). In another embodiment, zoning trigger parametershaving predefined rules may be configured in a proactive policy saved inthe controller 121.

In one embodiment, one or more proactive policies can be implemented insituations where there is a high risk condition for an attack, evenbefore such an attack occurs. For example, activation of the trusted andun-trusted zones when a warning about a possible attack has been raised,or in a certain hour in a day, or during a holiday vacation when most ofthe information technology (IT) team is not present at the site, or inresponse to a specific event to which attackers may react in attackingthe site. In another embodiment, the zone trigger parameter may be anexternal trigger from a user (e.g., a system administrator or a networksecurity manager), and so on. In yet another embodiment, the switchingto zoning mode is based on one or more proactive policies and zoningtrigger parameters defined therein.

When switching to the zoning mode, traffic from the one or more trustedclients should be diverted to the site 112 in the trusted zone. As willbe discussed below, the diversion of traffic to the site 112 is achievedby the set of zoning rules created by the central controller 112 andexecuted in accordance with rules administered by the one or more of thenetwork elements 122-1, 122-2.

As mentioned above, a threat level value is computed for each clientbased on one or more of the security risk indication parameters. Thisvalue may be a binary value, a color-coded value (e.g., red, green andyellow), or any numerical value that can be utilized to determine if theclient should be treated as a trusted or un-trusted client. Thecomputation of the threat level value may be based on a score assignedto each parameter and the level may be determined based on the scores ofthe parameters applicable for the client. This allows providing acertain weight to certain parameters. The computation of the threatlevel value may be, for example, an average or weight average of thescores. A computed threat level value may be compared to a predefinedthreshold to determine if the client is a trusted client. The threatlevel may be set to a value indicating that the client should be labeledas trusted based on a single predefined parameter. For example, if theclient's IP is in a pre-compiled list of trusted IP addresses, then thevalue may be set to indicate that the client should be labeled astrusted.

A zoning rule defines for each trusted client the action that should betaken, i.e., whether the traffic should be diverted to the site 112 andhow the diversion should be performed. Specifically, the action definesthat a destination IP address in each packet received from a trustedclient should be changed to the VIP address of the site 112 in thetrusted zone. Another action requires that for any packet received fromthe site 112 with a destination IP address of a trusted client, thesource IP address should be changed to the address of the site 111 inthe un-trusted zone (e.g., VIP1). As noted above, only the VIP1 of thesite 112 is advertised. Another zoning rule defines that all packetsreceived from the clients 140 with a destination IP address of the site112 (e.g., VIP2) should be dropped, because such traffic is suspicious(as VIP2 is not a known address).

The set of zoning rules is conveyed to one or more of the networkelements 122-1 and 122-2 which execute these rules on each packetreceived from the clients 140 and the ADC 130. It should be noted thateach network element can perform all of the zoning rules or part of thezoning rules. For example, the network element 122-1 may implement therules that require changing the IP destination address and the droppingof suspicious packets, while the network element 122-2 can perform theaction that requires changing the source IP address. Again, the SDN 120may include a single network element that would perform and implementall the zoning rules.

Following is a non-limiting example for the process of separatingtraffic processing to sites in different zones. In the followingexample, it is assumed that client 140-1 is a trusted client. Primarily,traffic from clients 140-1 and 140-2 is directed to the site 111. Thedestination IP address of packets originated at the clients 140-1 and140-2 is VIP1. In the zoning mode, the zoning rules are sent to thenetwork elements 122 which process the traffic, in part, according tothese rules. Specifically, traffic from client 140-2 received at thenetwork element 122-1 is sent to the original destination, i.e., site111. Traffic from the trusted client 140-1 is diverted to the site 112in the trusted zone. With this aim, the destination address of packetsreceived from the client 140-1 is changed to indicate the IP address ofsite 112, e.g., VIP2. To maintain compliance in the responses receivedfrom the servers in the site 112, the source address of packets receivedfrom the site 112, is changed to indicate the original IP address, e.g.,VIP1. As noted above, modifying the address fields in the packets sentfrom or to the trusted client 140-1 is performed by any of the networkelements 122.

It should be noted that the ADC 130 can balance the traffic between thesites 111 and 112 when operating in a “normal” mode of operation andduring the zoning mode. The load balancing can be performed based onglobal load balancing criteria. Such criteria include, but are notlimited to, proximity between a client and site, latency, cost, and soon.

Because the site 112 in the trusted node processes only traffic thatoriginates in trusted clients, the SLA can be guaranteed to such clientsas the site 112 will be less likely impacted by an ongoing attack. Thesite 111 in the un-trusted zone can process the traffic to mitigate anyattack executed by un-trusted clients (e.g., client 140-2). The site 111may also collect information about the behavior of the un-trustedclients in order to learn the type of the attack being performed in casean attack is really executed. Such forensics information can be sharedwith a security organization (SOC) and/or utilized to develop counterattacks or new mitigation techniques.

In one embodiment, the site 112 is a replica of the site 111 (i.e.,includes the same computing resources and service content as in the site111) which has been designed to efficiently support all clients (trustedand un-trusted) that access the computing farm 110. Thus, the site 112in the trusted zone can efficiently support and provide the guaranteedSLA to a subset of clients (only trusted clients). In anotherembodiment, only a set of servers in the site 112 can be pre-allocatedto process traffic of trusted clients diverted by network elements 122,when additional servers may be added ah-hoc based on the volume oftraffic.

According to another embodiment, a set of servers in each of the sites111 and 112 may be configured as a trusted zone while the other serversare in the un-trusted zone. The traffic from the trusted clients will bediverted to the servers in the “trusted zone” in either of the sites.Traffic from trusted clients can be load-balanced among the serversallocated to the trusted zone in the sites 111 and 112 based, in part,on global load balancing criteria.

FIG. 1B shows a different configuration of the network system 100 inwhich the separation of traffic processing is achieved according toanother embodiment. In this embodiment, at least one ADC is connected toeach site in the computing farm. In the exemplary FIG. 1B, ADCs 131 and132 are connected respectively to sites 111 and 112. As noted above, thesite 111 is configured to be in an un-trusted zone whereas the site 112is defined as a trusted zone. Thus, the ADC 131 serves traffic fromun-trusted clients and ADC 132 serves traffic from trusted client.According to this embodiment, traffic to both sites 111 and 112 isaddressed to the same IP address, e.g., VIP1, where the centralcontroller 101 instructs the edge network element 122-2 to which of theADCs 131, 132 to send the traffic received from the clients 140-1 and140-2. That is, under attack the ADC 132 and the site 112 serves trustedclients, while all the traffic generated by un-trusted clients ishandled by the ADC 131 and the site 111 operable in an un-trusted zone.As noted above, each of the ADCs 131 and 132 may be a physical devicethat executes virtual instances of ADCs.

To this end, once a list of trusted clients is determined by thecontroller 101 the zoning rules are created. In this embodiment, azoning rule may include directing traffic received from a trusted clientto the ADC 132. The ADC 132 may be identified by a port number in theelement 122-2, a VLAN ID, a MAC address, an IP address, or a combinationthereof. It should be noted that the embodiment illustrated in FIG. 4B,provides another level of traffic separation realized by the differentADCs. That is, the traffic separation is not realized through sites inthe farm, but also by additional components (ADCs) along the pathbetween clients and servers of the farm. Thus, isolation of computingresources is achieved through separate ADCs per different client types.

In one embodiment, a complete isolation of traffic between trusted andun-trusted clients is achieved. According to this embodiment, thetraffic is routed from the trusted client 140-1 to the site 111 throughnetwork elements and the ADC 132 which construct a trusted path. Withthis aim, the controller 110 establishes the trusted path by causing thenetwork elements to route traffic to and from a trusted client throughselected network elements and network links in the network. For example,as shown in the exemplary FIG. 1B, a trusted path is established overlinks L1-L4 and through network elements (NE) 122-1, 122-2 and 122-3.Although not shown in FIG. 1B, the trusted path may also include“standard” network appliances, such as switches, routers, firewalldevices, and the like. It should be noted that the routing traffic fromtrusted clients over trusted paths allow separating the traffic routingof trusted clients from the traffic routing of un-trusted clients.

FIG. 2 shows an exemplary diagram of a network system 200 utilized todescribe another embodiment for performing the zoning process. Thesystem 200 includes a computing farm 210 with a number of N servers S₁through S_(N) connected to an ADC 220. In one configuration, the ADC 220is also connected to a security engine 230. The farm 210 providesservices to clients 240-1 and 240-2, which communicate with the ADC 220,in part, through a SDN network 250. The SDN network 250 includes acentral controller 251 and at least one network element 252 thatimplements a SDN defined provisioning protocol, such as the OpenFlowprotocol. The connection between the clients 240 and the network element252 may be facilitated through a computer network discussed in detailabove. The computing farm 210 may be a local server farm, a globalserver farm, a data center, or a combination thereof.

According to this embodiment, the ADC 220 and/or the security engine 230provides the central controller 251 with a list of trusted clients. Thislist may include a source IP of each trusted client. In an exemplaryembodiment, the ADC 220 and/or security engine 230 performs a processthat generates a list of trusted clients.

In another embodiment, the list may also include a user name and/orother unique identifier (e.g., cookie) of the user. Because the ADC 220can process packets at layer-4 to layer-7 of the OSI model, the trustedclients can be identified by layer-4 to layer-7 parameters, such as usernames, cookies, and the like. The controller 251 generates the zoningrules based on these parameters.

The ADC 220 is configured with and continuously receives security riskindication parameters, for example, for the security engine 230. Usingthese parameters, the ADC 220 computes a threat level value for eachclient 240, as discussed in detail above. Primarily, traffic from bothclients 240-1 and 240-2 is distributed among all the active servers S₁to S_(N). The traffic is monitored and the client threat level iscomputed. When switching to a zoning mode (based in part on the zoningtrigger parameters described above), a first group of servers isallocated to a trusted zone 260 and a second group of servers isallocated to an un-trusted zone 270. In one embodiment, the ADC 220 isconfigured with the servers that should be included in each zone. Inanother embodiment, the ADC 220 selects dynamically and in real-time theservers to be allocated to the trusted zone 260. The selection isperformed in such a way that trusted clients will always receive theguaranteed SLA.

Each group of severs in the respective zone is assigned with a differentvirtual IP (VIP) address. For example, servers in the zone 270 areassigned with an address VIP 1 while servers in the zone 260 areassigned with the address VIP2. As noted above, only the address ofservers in the un-trusted zone 270, e.g., VIP1 is advertised.Accordingly, all clients address their traffic to VIP1 address. Thenetwork element 252, based on the zoning rules received from thecontroller 251, determines if each received packet is being sent to orfrom a trusted client, and if so, the element 252 applies the respectiveaction defined in the rule. Examples for the zoning rules are providedabove.

The network element 252 may determine if a client is a trusted clientbased on an IP address and/or other unique identifiers (defined above)of the client. As noted earlier, for trusted clients the destinationaddress is replaced with the address of servers in the trusted zone 260,e.g., VIP2. The network element 252 further replaces the source addressof response packets received from servers in the trusted zone 260 withthe advertised address, e.g., replacing VIP2 with VIP1.

In one embodiment, the allocation of computing resources including, forexample, servers and network resources to each zone can be performedbased on a learning mechanism and a load profile baseline creation.Specifically, a load profile while in “normal” (not under attack) of thesite 200 is computed. The load profile summarizes the typical loadcharacteristics of each trusted client or a group of trusted clients.The load profile may further register the load characteristics ofdifferent client groups originating from different locations. The loadcharacteristics are per different times of the day, week, etc. When thesite is under attack, the load profile can be used to calculate how todynamically separate the farm 210, i.e., how many servers to allocate tothe trusted zone 260 and how many servers to be assigned to theun-trusted zone 270.

In another embodiment, weights can be assigned to various allocationcriteria. For example, there should always be at least five servers inthe trusted zone, and per traffic characteristics, more servers areadded if specific transactions and/or applications are invoked. Inanother embodiment, the farm 210 may include a group of dedicatedservers that are provisioned and used only at the zoning mode of thesite. Thus, when the farm 210 operates in a zoning mode, the capacity ofthe farm is increased. In another embodiment, each server in the farm210 is assigned with a SLA number that indicates which group of clientsthe server can serve. If a server is assigned with a SLA number thatcorrelates to trusted clients, then this server can process only trafficreceived from trusted clients. These SLA numbers can be dynamicallychanged. Allocation of servers to the trusted zone may also includeassigning a new VIP address to such servers and performing gracefultermination of computed sessions executed therein.

As mentioned above, as the servers in the trusted zone 260 processesonly traffic that originates from trusted clients, the SLA can beguaranteed to the trusted clients, e.g., client 240-1, as the servers inthe trusted zone 260 will be less likely impacted by an attack. In oneembodiment, the ADC 210 monitors the resources utilized to processtraffic from trusted clients and determines if more resources (i.e.,servers) should be allocated to the trusted zone 260 to ensure the SLAto trusted clients.

According to another embodiment, to the local computing farm 210 shownin FIG. 2, at least two ADCs may be connected, each of which isconnected to a different group of servers located in the trusted zone260 and un-trusted zone 270. In this embodiment, only one VIP isutilized to address traffic to the farm 210 where the traffic separationis performed by the central controller 251. To this end, the trafficcontroller 251 instructs the network element 252, by means of the zoningrules to which of the at least two ADCs traffic from trusted clientsshould be directed to. For example, each source IP address of a packetreceived from a client considered to be a trusted client is forwarded tothe ADC (not shown in FIG. 2) connected to the trusted zone 260.

It should be noted that the teachings disclosed herein are alsoapplicable to hybrid networks in which a SDN is a sub-network of aconventional network in which its elements cannot be programmed by acentral controller. To allow the proper operation of the methodsdisclosed above in the hybrid network, at least one of the networkelements in the diversion path (i.e., from the client to the ADC) shouldbe adapted to allow programmability by the central controller adapted tooperate in a SDN-based network.

FIG. 3 shows an exemplary and non-limiting flowchart 300 illustrating amethod for generating the set of zoning rules according to oneembodiment. The method is performed by a central controller deployed andoperable in a SDN. At S310, a list of trusted clients that can accessresources of a computing farm is determined. The list includes for eachtrusted client at least its IP address. In another embodiment, eachclient in the trusted zone can be also identified by an applicationlayer unique identifier, such as a user name, a cookie, and the like.The application layer unique identifier can be in addition to or insteadof the IP address of the client. A client is determined to be a trustedclient based on the threat level value computed using one or moresecurity risk parameters. Then, the computed threat level value iscompared to a predefined threshold related to the computed threat levelvalue to determine if the client is trusted or un-trusted. The securityrisk parameters and the computation of the threat level value arediscussed in detail above. The predefined threshold relates to thecomputed threat level value or a binary value associated with the threatlevel value. In another embodiment, the threat level value iscolor-coded, thus the determination is based on its color (e.g., red isan un-trusted client). For example, if the risk indication parametersinclude a list of trusted client, then the threat level value for clientdesignated in the list is set ‘0’ indicating a binary value of a trustedclient. In one embodiment, the list of trusted clients is received froman external system, for example, an ADC.

At S320, for each trusted client a set of actions is created. Theactions define in part how to divert traffic received from trustedclients or sent to such clients. In one embodiment, actions are furtherdefined to handle suspicious traffic. Following are non-limitingexamples for actions that are created:

1. Match: IP.SRC_IP in {Trusted List} and from CLIENT

-   -   Action: CHANGE IP.DST_IP to VIP2

2. Match: IP.DST_IP in {T1} and from SERVER through ADC

-   -   Action: CHANGE IP.SRC_IP to VIP1

3. Match: IP.DST_IP==VIP2 and from ANY CLIENT

-   -   Action: DROP

The matches are performed against the source and destination IP addressfields in the received packets as well as to the interface from wherepackets are received. In this example, the VIP1 is an advertised IPaddress of the computing farm and VIP2 is the address of the servers (orsite) in the trusted zone.

In the embodiment where each site of group of servers in a trusted andun-trusted zone are connected to a different ADC and the traffic isaddressed only to one virtual IP address identifying the farm, the zonerules generated by the controller are defined to direct the traffic tothe ADC serving the trusted zone. A non-limiting example for such a rulemay be:

-   -   Match: IP.SRC_IP in {Trusted List} and from CLIENT    -   Action: Direct Packet with IP.SOURC_IP to PORT#1

In this example, PORT#1 is connected to the ADC serving the trustedzone. As noted above, the ADC can be identified by a VLAN ID, a portnumber, a MAC address, an IP address, or combination thereof.

At S330, the set of zoning rules are sent to one or more networkelements in the SDN together with an instruction to execute these ruleson incoming traffic. It should be noted that different zoning rules canbe sent to and executed by different network elements. In oneembodiment, the rules are sent to the various network elements only whenswitching to the zoning mode. It should be noted that when not operatingin the switching node, the network elements route traffic according tothe standard routing configuration and the ADC load balances the trafficaccording its standard load balancing schema. As noted above, thecontroller decides to switch to a zoning mode based on one or more ofthe zoning trigger parameters.

FIG. 4 shows an exemplary and non-limiting flowchart 400 illustratingthe method for separating the processing of traffic received fromclients according to one embodiment. The method is performed when it isdetermined, based on one or more zoning trigger parameters, that thecomputing farm should be switched to a zoning mode.

At S410, trusted and un-trusted zones are created by allocating serversof the computing farm to each zone. Various embodiments for allocatingsufficient resources to each zone are discussed above. Optionally, atS420, servers allocated to the trusted zone are assigned with anaddress, e.g., a VIP address different than the servers in theun-trusted zone. As mentioned above, when multiple ADCs are utilized toseparate traffic to different zones that computing farm could beaddressed through a single address, thus S420 is optional.

At S430, a packet is received at a network element of a SDN. The packetcan be received from a client or an ADC connected to the computing farm.At S440, it is checked, by the network element, if at least one of thezoning rules should be applied on the received packet. According tocertain embodiments, S440 includes at least one of: matching a source IPaddress of packets received from clients against addresses in thetrusted list; matching the source IP address of packets received fromthe ADC against the address assigned to servers in the trusted zones;and matching a destination IP address of packets received from clientsagainst the address of servers in the trusted zone. If S440 results witha Yes answer execution continues with S450; otherwise, executionproceeds to S460 where the packets are routed to the next hop in thenetwork based in part on the source and destination IP addressesdesigned in the packets.

At S450, an action defined in each rule that should be applied on thereceived packet is performed. According to certain embodiments, S450includes changing the destination IP address of packets received fromthe clients to VIP2 (the address of servers in the trusted zones) if thesource IP address of packets matches an address mentioned in the trustedlist; changing the destination IP address of packets received from theADC to include the address VIP1 (the advertised address) if the sourceIP address of the received packets matches the address assigned toservers in the trusted zones; dropping packets received from the clientshaving the same destination IP address as the address of servers in thetrusted zones (e.g., VIP2); and forwarding traffic to one of the ADCsserving the trusted zone. Thereafter, execution continues with S460.

The traffic diversion performed by the network elements based on thezoning rules created by the central controller ensures that traffic fromtrusted clients is always forwarded to servers in the trusted zone,while traffic from un-trusted clients is forwarded to servers in theun-trusted zone. As mentioned above, additional servers may be added tothe trusted zone, as need, to ensure high SLA and performance to trustedclients. In an embodiment, the classification of clients as trusted andun-trusted can also be performed when the farm (or site) does notoperate in the zoning mode.

It should be noted that the method disclosed hereinabove provides asimple mechanism to divert traffic to and from trusted clients to sitesor datacenters that can guarantee continuous services and high SLA, andaims to solve at least the complexity associated with the conventionalsolutions for diverting in the network. The diverted traffic may be forprotocols that allow redirection of traffic in the application layer(e.g., HTTP, SIP, etc.) and protocols that do not allow redirection(e.g., SMTP, UDP, etc.). It should be further noted that the embodimentsdisclosed herein allow processing of traffic from all clients thataccess the farm, regardless of being trusted and un-trusted, thus thereis no false positive related to blocking of legitimate traffic.

FIG. 5 shows an exemplary and non-limiting block diagram of a centralcontroller 500 constructed according to one embodiment. The centralcontroller 500 is operable in SDNs and is at least configured to executethe zoning process described in greater detail above. The controller 500includes a processor 510 coupled to a memory 515, a zoning diversionmodule 520, a SDN-interface module 530, and an interface 540 to anexternal system.

The SDN-interface module 530 allows the communication with the networkelements of the SDN. In one embodiment, such communication uses theOpenFlow protocol through which a secure channel established with eachnetwork element. The interface 540 provides an interface to an externalsystem, such as, but not limited to, an attack detection device, asecurity management system, and the like.

The zoning module 520 is configured to determine if a zoning mode shouldbe applied. In addition, the zoning module 520 generates the zoningrules as defined in detail above. The module 520 communicates with thenetwork elements through the SDN-interface 530. The processor 510 usesinstructions stored in the memory 515 to execute tasks traditionallyperformed by the central controllers of SDN and optionally for executionof the tasks performed by the modules 520, 530 and 540. The controller500 in another embodiment includes a combination of application specificintegrated circuits and processors. In a further embodiment thecontroller 500 is distributed across several devices and processors.

The foregoing detailed description has set forth a few of the many formsthat different embodiments of the invention can take. It is intendedthat the foregoing detailed description be understood as an illustrationof selected forms that the invention can take and not as a limitation asto the definition of the invention.

Most preferably, the various embodiments discussed herein can beimplemented as hardware, firmware, software, or any combination thereof.Moreover, the software is preferably implemented as an applicationprogram tangibly embodied on a program storage unit or computer readablemedium. The application program may be uploaded to, and executed by, amachine comprising any suitable architecture. Preferably, the machine isimplemented on a computer platform having hardware such as one or morecentral processing units (“CPUs”), a memory, and input/outputinterfaces. The computer platform may also include an operating systemand microinstruction code. The various processes and functions describedherein may be either part of the microinstruction code or part of theapplication program, or any combination thereof, which may be executedby a CPU, whether or not such computer or processor is explicitly shown.In addition, various other peripheral units may be connected to thecomputer platform such as an additional data storage unit and a printingunit. Furthermore, a non-transitory computer readable medium is anycomputer readable medium except for a transitory propagating signal.

What is claimed is:
 1. A method for separation of traffic processing ina software defined network (SDN), wherein the method is performed by acentral controller of the SDN, comprising: allocating a first group ofcomputing resources of a computing farm to a trusted zone and a secondgroup of computing resources to an un-trusted zone; assigning thecomputing resources in the first group with a first address and thecomputing resources in the second group with a second address, whereinonly the second address is advertised; receiving at least one zoningtrigger parameter at the central controller that provide an indicationas to whether the central controller should switch from a non-zoningmode to a zoning mode; evaluating the at least one zoning triggerparameter to determine if a zoning mode should be initiated in thecomputing frame to mitigate a potential cyber-attack; triggering thezoning mode by the central controller in the computing frame to mitigatea potential cyber-attack based on the evaluation of the one or morezoning trigger parameters; causing at least one network element in theSDN to divert an incoming traffic to the first group and the secondgroup of computing resources based on a plurality of zoning rulesimplemented by the at least one network element, wherein the pluralityof zoning rules are determined by the central controller and determinethat the traffic from a known trusted client is directed to the firstgroup of computing resources and the traffic from an un-trusted clientis directed to the second group of computing resources, therebyproviding guaranteed SLA to trusted clients.
 2. The method of claim 1,wherein the plurality of zoning rules defines at least a list of trustedclients, an action to be performed when the traffic is received fromeach trusted client, and an action to be performed when a traffic issent back to each trusted client.
 3. The method of claim 2, wherein theplurality of zoning rules further defines at least one action forhandling traffic received from suspicious clients.
 4. The method ofclaim 3, wherein each trusted client in the list of trusted clients isidentified by at least its IP address or a range of IP addresses.
 5. Themethod of claim 4, wherein the plurality of zoning rules include:matching a source address of the traffic received from a client againstthe IP addresses listed in the trusted list and changing the destinationaddress of the traffic received from the client to designate the firstaddress when a match exists; matching a destination address of trafficdirected to a client against the IP addresses listed in the trusted listand replacing the source address of the traffic directed to the clientfrom the first address to the second address when a match exists; andmatching a destination address of traffic received from clients againstthe first address and dropping the traffic when a match exists.
 6. Themethod of claim 1, wherein the trusted clients are determined based on aplurality of security risk indication parameters.
 7. The method of claim1, further comprising: computing a threat level value for each clientaccessing the computing farm; comparing the computed threat level valueto a predefined threshold; and determining a client to be a trustedclient based on the comparing of the computed threat level value and thepredefined threshold.
 8. The method of claim 7, wherein computing thethreat level value includes: assigning a score to a plurality ofsecurity risk indication parameters, wherein the score determines howthe risk indication parameters are applicable for the client; andcalculating the threat level value as a weighted average of scoresassigned to the risk indication parameters.
 9. The method of claim 1,wherein the computing resources are dynamically allocated to the firstgroup.
 10. The method of claim 1, wherein the computing resources areconnected to an application delivery controller (ADC), wherein thetraffic from a trusted client is directed to the first group ofcomputing resources over a secured path established through the at leastone network element and the ADC.
 11. The method of claim 10, wherein theADC is a virtual appliance that includes at least two virtual instancesof ADCs, wherein the traffic to the first group of computing resourcesare directed through a first virtual instance and the traffic to thesecond group of computing resources are directed through a secondvirtual instance of the at least two virtual instances of the ADC,wherein each one of the at least two virtual instances is addressed byat least one of: a port number, a MAC address, and a VLAN ID, and an IPaddress.
 12. The method of claim 1, wherein the traffic diversion istransparent to an application protocol utilized by the clients.
 13. Themethod of claim 1, wherein triggering the zoning mode is performed basedon a plurality zoning trigger parameters, wherein each of the pluralityof zoning trigger parameters indicating a potential risk that acyber-attack is about to take place against the computing farm or thatthe computing farm is currently under a cyber-attack.
 14. A computersoftware product embedded in a non-transient computer readable mediumcontaining instructions that when executed on the computer perform themethod of claim
 1. 15. A software defined network (SDN), comprising: atleast one network element being connected to a plurality of clientsthrough a computer network and to at least one application deliverycontroller (ADC); and a central controller for generating a plurality ofzoning rules and instructing the at least one network element toimplement the plurality of zoning rules, thereby enabling separation oftraffic processing by a computing farm connected to the at least oneADC, wherein the separation of traffic processing is performed in azoning mode being triggered based on an indication that a potential riskthat a cyber-attack is about to take place against the computing farm orthat the computing farm is currently under a cyber-attack, wherein saidindication is determined via the receipt of at least one zoning triggerparameter at the central controller.
 16. The software defined network ofclaim 15, wherein the central controller and the at least one networkelement communicates using a SDN-based provisioning protocol.
 17. Thesoftware defined network of claim 15, wherein the central controller isfurther connected to at least one external system to receive a pluralityof security risk indication parameters allowing the central controllerto determine if a client is trusted, and a plurality of zoning triggerparameters allowing the central controller to determine if a zoning modeshould be triggered, wherein the at least one external system includesat least one of: an attack detection device and a security managementsystem.
 18. A central controller operable in a software defined network(SDN), comprising: a SDN interface for communicating with at least onenetwork element in the SDN; an external system interface for receivingat least a plurality of security risk indication parameters and aplurality of zoning trigger parameters; a zoning module for determiningif a zoning mode is required and for creating at least one zoning ruleto be executed by the at least one network element, wherein the at leastone zoning rule allows for separation of traffic processing in the SDNduring the zoning mode, wherein the zoning mode is triggered based on anindication that a potential risk that a cyber-attack is about to takeplace against the computing farm or that the computing farm is currentlyunder a cyber-attack, wherein said indication is determined via thereceipt of at least one zoning trigger parameter at the centralcontroller.
 19. The software defined network of claim 18, wherein thecentral controller and the at least one network element communicatesusing a SDN-based protocol.
 20. A method for separation of trafficprocessing in a software defined network (SDN) wherein the method isperformed by a central controller of the SDN, comprising: allocating afirst group of computing resources of a computing farm to a trusted zoneand a second group of computing resources to an un-trusted zone;assigning the computing resources in the first group to a firstapplication delivery controller (ADC) and the computing resources in thesecond group with a second ADC; receiving one zoning trigger parameterat the central controller that provide an indication as to whether thecentral controller should switch from a non-zoning mode to a zoningmode; evaluating the one zoning trigger parameter to determine if azoning mode should be initiated in the computing frame to mitigate apotential cyber-attack; triggering the zoning mode in the computingframe to mitigate a potential cyber-attack; and causing at least onenetwork element in the SDN to divert a traffic addressed to a singleaddress of the computing farm to the first group and the second group ofcomputing resources based on a plurality of zoning rules implemented bythe at least one network element, wherein the plurality of zoning rulesdetermine that the traffic from a trusted client is directed to thefirst ADC and the traffic from an un-trusted client is directed to thesecond ADC, thereby providing a guaranteed SLA to trusted clients. 21.The method of claim 20, wherein the at least one zoning rule includes:matching a source address of the traffic received from a client againstthe IP addresses listed in the trusted list; and directing the trafficreceived from the client to a designated network appliance connected toa trusted zone, wherein the network appliance is identified by at leastone of: a port number, a MAC address, a VLAN ID, and an IP address. 22.The method of claim 20, wherein the traffic from the trusted client isdirected to the first group of computing resources over a secured pathestablished through the at least one network element and the ADC. 23.The method of claim 20, wherein the traffic diversion is transparent toan application protocol utilized by the clients.